Class: Yawast::Scanner::Core

Inherits:
Object
  • Object
show all
Defined in:
lib/scanner/core.rb

Class Method Summary collapse

Class Method Details

.check_ssl(uri, options, head) ⇒ Object 



112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
 
# File 'lib/scanner/core.rb', line 112

def self.check_ssl(uri, options, head)
  setup(uri, options)

  if @uri.scheme == 'https' && !options.nossl
    head = get_head if head.nil?

    if options.internalssl || IPAddress.valid?(@uri.host) || @uri.port != 443
      Yawast::Scanner::Ssl.info(@uri, !options.nociphers, options.tdessessioncount)
    else
      Yawast::Scanner::SslLabs.info(@uri, options.tdessessioncount)
    end

    Yawast::Scanner::Plugins::SSL::SSL.check_hsts(head)
    Yawast::Scanner::Plugins::SSL::SSL.check_hsts_preload @uri
  elsif @uri.scheme == 'http'
    puts 'Skipping TLS checks; URL is not HTTPS'
  end
end

.get_cms(uri, options) ⇒ Object 



105
106
107
108
109
110
 
# File 'lib/scanner/core.rb', line 105

def self.get_cms(uri, options)
  setup(uri, options)

  body = Yawast::Shared::Http.get(uri)
  Yawast::Scanner::Plugins::Applications::CMS::Generic.get_generator(body)
end

.get_headObject 



131
132
133
134
135
136
137
138
 
# File 'lib/scanner/core.rb', line 131

def self.get_head
  begin
    Yawast::Shared::Http.head(@uri)
  rescue => e # rubocop:disable Style/RescueStandardError
    Yawast::Utilities.puts_error "Fatal Connection Error: Unable to complete HEAD request from '#{@uri}' (#{e.class}: #{e.message})"
    exit 1
  end
end

.print_headerObject 



6
7
8
9
10
11
 
# File 'lib/scanner/core.rb', line 6

def self.print_header
  Yawast.header

  puts "Scanning: #{@uri}"
  puts
end

.process(uri, options) ⇒ Object 



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
 
# File 'lib/scanner/core.rb', line 37

def self.process(uri, options)
  # get the start time, so we can display elapsed time
  start_time = Time.now

  setup(uri, options)

  begin
    # setup the proxy
    Yawast::Shared::Http.setup(options.proxy, options.cookie)

    # cache the HEAD result, so that we can minimize hits
    head = get_head
    Yawast::Shared::Output.log_hash 'http', 'head', 'raw', head.to_hash
    Yawast::Scanner::Generic.head_info(head, @uri)

    # perform SSL checks
    check_ssl(@uri, options, head)

    # process the 'scan' stuff that goes beyond 'head'
    unless options.head
      # connection details for SSL
      Yawast::Scanner::Plugins::SSL::SSL.ssl_connection_info @uri

      if Yawast.options.vuln_scan
        # new scanner-----------------------------------------------------
        # this is the new model, that will eventually become the default--
        # ----------------------------------------------------------------

        Yawast::Scanner::VulnScan.scan(@uri, options, head)
      else
        # legacy checks --------------------------------------------------
        # try not to break these, until the old scanner model is removed--
        # ----------------------------------------------------------------

        # server specific checks
        Yawast::Scanner::Plugins::Servers::Apache.check_all(@uri)
        Yawast::Scanner::Plugins::Servers::Nginx.check_all(@uri)
        Yawast::Scanner::Plugins::Servers::Iis.check_all(@uri, head)

        Yawast::Scanner::Plugins::Http::FilePresence.check_all @uri, options.files

        # generic header checks
        Yawast::Scanner::Plugins::Http::Generic.check_propfind(@uri)
        Yawast::Scanner::Plugins::Http::Generic.check_options(@uri)
        Yawast::Scanner::Plugins::Http::Generic.check_trace(@uri)

        Yawast::Scanner::Plugins::Spider::Spider.spider(@uri) if options.spider
      end

      # check for common directories
      if options.dir
        Yawast::Scanner::Plugins::Http::DirectorySearch.search @uri, options.dirrecursive, options.dirlistredir
      end

      get_cms(@uri, options)
    end

    # get the total time to complete the scan. this works as long as the scan take
    # less than 24 hours. if a scan is that long, we have bigger problems
    elapsed_time = Time.at(Time.now - start_time).utc.strftime('%H:%M:%S')

    Yawast::Shared::Output.write_file
    puts "Scan complete (#{elapsed_time})."
  rescue => e # rubocop:disable Style/RescueStandardError
    Yawast::Utilities.puts_error "Fatal Error: Can not continue. (#{e.class}: #{e.message})"
  end
end

.setup(uri, options) ⇒ Object 



13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
 
# File 'lib/scanner/core.rb', line 13

def self.setup(uri, options)
  unless @setup
    @uri = uri

    print_header

    Yawast::Shared::Output.setup @uri, options if options.output != nil
    Yawast::Shared::Output.set_current_uri @uri

    ssl_redirect = Yawast::Scanner::Plugins::SSL::SSL.check_for_ssl_redirect @uri
    if ssl_redirect
      @uri = ssl_redirect
      puts "Server redirects to TLS: Scanning: #{@uri}"
      Yawast::Shared::Output.log_value 'server_tls_redirect', @uri
    end

    Yawast::Scanner::Plugins::SSL::SSL.set_openssl_options

    Yawast::Scanner::Plugins::DNS::Generic.dns_info @uri, options unless options.nodns
  end

  @setup = true
end